Wednesday, November 16, 2011

Episode 16: Knock knock. Who's there?

Security in the cloud. This is the recurring theme when the technology conversation turns to cloud computing. Usually that's followed by "Where's my data?" or "Who can get access to my data?" or "Do I have complete control of my own data?" Security in the last twelve months has become the real deal breaker, & issues experienced by a high-profile name in the technology world like Sony really made a lot of people who have been on the fence about whether to take some of their business-critical systems into the Cloud.

Recently, the Ponemon Institute conducted a study that revealed that 67% of the IT professionals questioned admitted that their respective organisations were vulnerable to hackers due to lax firewall security. Scarier was that 42% of those surveyed said that were they breached or attacked, they'd have no way of knowing what was compromised. And it got worse, with over half saying they were of the opinion that their staff had no knowledge about the potential risks of open firewall ports.

The full insights of that study would appear shocking to those outside the Cloud Computing industry, but not to those in it. It also isn't the full story. The study neglects the real root of the issue: good security governance from the desktop upwards in any infrastructure. The truth is, there seems to be a general lack of knowledge about security & the implications of security issues from the receptionist to the CEO, with no-one seemingly taking full responsibility for it. No-one is drawing a line in the sand about where the buck truly stops.

People leave their screens unlocked, download software, or open e-mail attachments without care, providing the opportunity for those out there to re-enact a digital version of the siege of Troy. There's even less responsibility taken by those who code websites, or are designers-for-hire. Many don't seem to understand the platforms they are building for, or understand how the applications they design & build for clients work in the cloud.

The issue really comes down to one single fundamental question: would any of us leave our wallet down for anyone to peruse at will or take? The answer is no, we wouldn't. Data in any business IS the wallet of the company. It has to be given the same reverence, respect & care. Sure, the questions about where your data is, or who has access to it are valid, but the real question any organisation must ask is simple & stark: do WE ourselves treat our data the way we expect our service providers to treat it?

You could establish a cloud solution with a cloud service provider, then pen test that to within an inch of its life, but the more important pen tests need to be done within your own organisation. One of the continually growing areas of access compromise is people taking advantage of social engineering: the process of obtaining information and/or access through deceit.

People are still taking calls from people claiming to be from well-known technology companies to run pieces of software on their machines, only to later find themselves compromised, exploited and/or defrauded. People are still clicking on links in e-mails telling them to log on & confirm passwords. Ask any online gamer how often they've heard of someone getting compromised.

The simple truth of this is, no matter how good the hardware platform is, how good the process is from the service provider, & how good you think your staff is, the real threat to the security of your business comes from within. Your service provider is only as good as your own instructions, your own knowledge & understanding, & your own ideals, & how rigidly those ideals are kept.

A degree of suspiciousness, caution & paranoia is not only healthy & acceptable, but needed in today's Digital Age. The level of concern about security in the cloud is really more to do with business' own insecurity over its own processes & data handling ideals than with what the service provider's level of security offers. If you can sleep well at night knowing your wallet is safe, shouldn't your data in your business be able to feel the same?